Eight sales pitches went head to head in our Security Innovators Throwdown competition to find the most innovative security products and services from young companies.
Fraud in today's financial websites is a serious problem. It is growing at breakneck speed with the introduction of new forms of crimeware, much of which is built to the standards that we, as legitimate software purchasers, expect from commercial products. Our second runner-up, Silver Tail Systems, has taken on the fraud community with a suite of three products, one of which the company showed at the Throwdown.
Silver Tail is an interesting firm. The founders and key managers are alumni of eBay, Google, PayPal, IBM and the National Security Agency. These folks have spent their professional lives fighting fraud and have come together at a forward-thinking company to build fraud-fighting software and services. At last year's Throwdown, we saw Silver Tail's forensic product and it garnered a lot of interest. This year, the company showed its new tool called Mitigation.
Mitigation interacts with websites and responds to every mouse click. It is rule-based and is the near-perfect tool for addressing today's modern fraud techniques, such as screen scraping. But the real power in Mitigation is its ability to modify a website's business flows to circumvent fraudulent behavior without rewriting the website code. This is important for two reasons.
First, it takes a long time for IT resources to analyze bad behavior, figure out mitigation, write the code, test it, put it into production and deploy it to web servers. Second, once that time and effort has been expended, it takes the bad guys just a relatively small amount of time to change their behavior and address another weakness.
Mitigation also works well with Silver Tail Systems Forensics. That tool helps develop policies that tell Mitigation what needs to be done. Mitigation and Forensics are a help-desk-in-a-box for addressing fraud.
So, given all of that, what kinds of fraud are we talking about? I watched a very interesting demo as I was discussing the product with one of the founders. A fraudster had planted malware that scraped the screen and sent the information home. It then used that to create a false screen while it looted the accounts that the screen represented.
Since, basically, Mitigation is a rules engine, all that was necessary was to tell it what bad behavior we were concerned with - screen scraping, for example. Once we knew that, we could write a rule to prevent it. Not only were we able to quickly write the rule to prevent the bad behavior, we were able to do it so that legitimate users never knew that we had done anything. That was important because the fraud would have reflected in the users' interactions with the site, and changes would, potentially, alter the way they performed those interactions. Because the system adds web server filters, deployment takes less time than changing HTML code in the web pages themselves.
Simply fixing the problem is not enough, though. You must also know that a problem is occurring and must have a way to analyze it. Analysis can come from Silver Tail Systems Forensics, to be sure, but it also can come from your SIEM product. Add to that a case management tool available from Silver Tail, and you have a pretty powerful system.
Another aspect that impressed us was the scalability of the product. We were enthused by this last year as well when we saw the Silver Tail Systems Forensics tool: 300,000 clicks per second is a lot of clicks in not much time. However, a large web farm takes a lot of traffic, and if the anti-fraud tool chokes at heavy volume it may not be of much use. That certainly is not the case here.
Fraud is a major problem today, and the targets of fraud are legitimate web users. Unfortunately, there are many tools that help fraudsters get around anti-fraud products. The Silver Tail suite of anti-fraud systems is a very good starting point in our view and the view of the other judges at the Throwdown. Mitigation rounds out that suite by providing a rapid solution to the HTML reconfiguration problem that used to be the only way to combat fraud against websites.